Systems and methods for detecting and mitigating cyber security threats
Abstract
A cyber security system includes a plurality of event sensors to detect events, a plurality of inference servers, and a server in communication with the plurality of inference servers. Each inference server of the plurality is in communication with a subset of event sensors of the plurality of event sensors. Each inference server has a portion of an event lattice and is to compare the event detected by the subset of event sensors to the event lattice. Each inference server is to identify an originator having a behavior pattern indicative of an attack and to communicate an identifier associated with the originator. The server is to provide an interface indicating the behavior pattern indicative of an attack and the identifier of the originator.
Claims
(exact text as granted, not AI-modified)
What is claimed is:
1. A cyber security system comprising:
a plurality of event sensors to detect events;
a plurality of inference servers, each inference server of the plurality in communication with a subset of event sensors of the plurality of event sensors, the each inference server having an event lattice and to compare an event detected by the subset of event sensors to the event lattice, the each inference server to identify an originator having a behavior pattern indicative of an attack and communicating an identifier associated with the originator, wherein the event lattice includes a set of event nodes and a set of nodes linked to event nodes of the set of event nodes, each node having a node position corresponding to events sensed by the event sensors; and
a server in communication with the plurality of inference servers, the server to provide an interface indicating the behavior pattern indicative of a network attack and the identifier of the originator.
2. The cyber security system of claim 1 , wherein the event lattice of the each inference server is different from the event lattice of another inference server of the plurality of inference servers.
3. The cyber security system of claim 1 , wherein the behavior pattern of the originator is indicated by the node position.
4. The cyber security system of claim 1 , further comprising an event router to direct the detected events to an inference server of the plurality of inference servers based on the event lattice implemented by the inference server.
5. The cyber security system of claim 1 , wherein the event lattice is derived using Association Rule Learning.
6. The cyber security system of claim 5 , wherein Association Rule Learning includes Formal Concept Analysis.
7. The cyber security system of claim 5 , wherein Association Rule Learning includes Frequent Item Sets.
8. The cyber security system of claim 5 , wherein Association Rule Learning includes Triadic Concept Analysis.
9. The cyber security system of claim 1 , wherein an event sensor of the plurality of event sensors is to detect events comprising a signature in a network packet.
10. The cyber security system of claim 1 , wherein an event sensor of the plurality of event sensors is to detect events comprising memory usage patterns.
11. The cyber security system of claim 1 , wherein an event sensor of the plurality of event sensors is to detect events comprising central processing unit usage patterns.
12. The cyber security system of claim 1 , wherein an event sensor of the plurality of event sensors is to detect network event comprising an application access.
13. A method for preparing a cyber security system, the method comprising:
receiving annotated event and behavior data, a portion of the event and behavior data indicative of an attack on computing assets;
forming an event lattice using formal concept analysis of the annotated event and behavior data, the event lattice including event nodes associated with events, the event lattice including at least one behavior pattern indicative of an attack on the computing assets, wherein the event lattice includes a set of the event nodes and a set of nodes linked to event nodes of the set of the event nodes, each node of the set of nodes having a node position corresponding to events sensed by the event sensors; and
configuring event sensors to detect events associated with nodes of the event lattice.
14. The method of claim 13 , further comprising dividing the event lattice into portions, each portion associated with a set of event sensors.
15. The method of claim 14 , further comprising assigning a portion of the event lattice to an inference server associate with the set of event sensors.
16. The method of claim 15 , further comprising deploying the event sensors and the inference server to the computing assets.
17. The method of claim 16 , wherein deploying includes installing the inference server on a device.
18. The method of claim 17 , wherein the device is a router, firewall, switch, access point, or load balancer.
19. The method of claim 17 , wherein the device is a server.
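The following Python sketch is an added example, not code from the patent or its assignee. It walks the preparation method of claims 13-19 (annotated event and behavior data, an event lattice formed by formal concept analysis, the lattice divided into portions assigned to inference servers) and the run-time split of claims 1-4 (sensors, an event router, inference servers that close an originator's observed events to a node position and report the identifier when that position is indicative of an attack). The annotated table, the event types, the server names and the run-time event stream are all constructed here for illustration, and "dividing" the lattice is realised by building the lattice of the context projected onto each portion's event types, which is one simple reading of claim 14, not the only one.

```python
"""Added example, not the patent's code: a toy realisation of claims 13-19 and
of the sensor / router / inference-server split of claims 1-4, using Formal
Concept Analysis (claims 6 and 13). All identifiers and data are constructed."""
from itertools import combinations

# Constructed annotated event and behavior data (claim 13): originator ->
# (event types its sensors reported, analyst's "attack" annotation).
ANNOTATED = {
    "host-1": ({"port_scan", "bad_signature", "cpu_spike"}, True),
    "host-2": ({"port_scan", "bad_signature", "app_access"}, True),
    "host-3": ({"app_access", "cpu_spike"}, False),
    "host-4": ({"app_access"}, False),
    "host-5": ({"cpu_spike", "mem_spike"}, False),
    "host-6": ({"port_scan"}, False),  # authorised scanner: scanning alone is benign
}

# Portions (claims 14-15): event types each inference server's sensors cover.
# Network sensors see packet signatures and application accesses (claims 9, 12);
# host sensors see CPU and memory usage patterns (claims 10, 11).
PORTIONS = {
    "net-inference": {"port_scan", "bad_signature", "app_access"},
    "host-inference": {"cpu_spike", "mem_spike"},
}


def build_lattice(context):
    """Enumerate the formal concepts of a context {object: attrs} by closing every
    attribute subset (objects sharing it, then the attrs common to those objects).
    Returns {intent: extent}. Exponential in the attribute count, acceptable for
    the handful of event types one sensor group reports."""
    attrs = sorted(set().union(*context.values()))
    concepts = {}
    for r in range(len(attrs) + 1):
        for subset in combinations(attrs, r):
            extent = frozenset(o for o, a in context.items() if set(subset) <= a)
            if extent:
                intent = frozenset.intersection(*(frozenset(context[o]) for o in extent))
            else:
                intent = frozenset(attrs)  # empty-extent bottom node
            concepts[intent] = extent
    return concepts


def label_attack_nodes(concepts, annotations):
    """A node position is 'indicative of an attack' (claims 3 and 13) when every
    originator in its extent was annotated as an attack."""
    return {intent for intent, extent in concepts.items()
            if extent and all(annotations[o] for o in extent)}


class InferenceServer:
    """One inference server of claim 1, holding one portion of the lattice."""

    def __init__(self, name, event_types, annotated):
        self.name, self.event_types = name, frozenset(event_types)
        # Project the annotated data onto this portion's event types and build
        # the lattice of that sub-context (one way to 'divide' it, claim 14).
        self.context = {o: frozenset(ev & self.event_types) for o, (ev, _) in annotated.items()}
        self.concepts = build_lattice(self.context)
        self.attack_nodes = label_attack_nodes(
            self.concepts, {o: lab for o, (_, lab) in annotated.items()})
        self.observed = {}  # originator identifier -> event types seen so far

    def ingest(self, originator, event):
        """Record an event, close the originator's observed set to its node
        position, and return (server, identifier, position) when that node is an
        attack node (claim 1); otherwise None."""
        seen = self.observed.setdefault(originator, set())
        seen.add(event)
        extent = frozenset(o for o, a in self.context.items() if seen <= a)
        if extent:
            position = frozenset.intersection(*(self.context[o] for o in extent))
        else:
            # A combination no annotated originator showed closes to the
            # empty-extent bottom node, which is never labelled an attack.
            position = self.event_types
        if position in self.attack_nodes:
            return (self.name, originator, tuple(sorted(position)))
        return None


class EventRouter:
    """The event router of claim 4: a detected event goes to the inference
    server(s) whose lattice portion covers that event type."""

    def __init__(self, servers):
        self.servers = servers

    def route(self, originator, event):
        alerts = []
        for server in self.servers:
            if event in server.event_types:
                hit = server.ingest(originator, event)
                if hit is not None:
                    alerts.append(hit)
        return alerts


def run_demo():
    """Constructed run-time stream; returns the alerts the central server of
    claim 1 would display (behavior pattern plus originator identifier)."""
    router = EventRouter([InferenceServer(n, ev, ANNOTATED) for n, ev in PORTIONS.items()])
    stream = [("10.0.0.7", "port_scan"), ("10.0.0.9", "app_access"),
              ("10.0.0.9", "cpu_spike"), ("10.0.0.7", "bad_signature"),
              ("10.0.0.3", "mem_spike"), ("10.0.0.5", "bad_signature")]
    alerts = []
    for originator, event in stream:
        alerts.extend(router.route(originator, event))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things worth noticing when running it. First, 10.0.0.7 is not flagged on its port scan alone, because the annotated data contains a benign scanner, but is flagged once a bad signature follows, at the node whose intent is {bad_signature, port_scan}. Second, 10.0.0.5 is flagged on a single bad signature: in the annotated data every bad signature co-occurred with a port scan from an attacker, so the closure of {bad_signature} is already that attack node. That generalisation is the lattice doing its job, and it is also the point a practitioner must audit, since an attack node supported by one annotated originator (host-2 alone, for the three-event node) will match every future originator that closes to it.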